A minor but interesting recent UK High Court data protection judgment has highlighted the issue of the remedy of ceasing data processing in the matter of AL-KO Kober Ltd & Mr. Paul Jones -v- Balvinder Sambhi T/AS Torquebars, which can be found here: http://www.5rb.com/wp-content/uploads/2017/10/Al-KO-Kober-Ltd-Anor-v-Balvinder-Sambhi-2017-EWHC-2474-QB.pdf.
The very basic facts of the case were as follows:
- The claimants were a UK business in the towing and trailer industry which manufactured two particular towing products, and the marketing manager of the business;
- The defendant was an individual who made various videos that were shown on the defendant’s YouTube channel which referred to the claimants’ above-mentioned towing products in a derogatory way;
- The marketing manager asked the defendant to remove the videos suggesting that the videos reflected badly on the business and that they contained untrue statements and suggestions;
- A telephone conversation took place between the claimant and the defendant which the latter recorded and who also continued making videos;
- Legal correspondence ensued, including the marketing manager’s lawyers providing a so-called “data subject notice” (see below) to the defendant requiring the defendant to cease processing the marketing manager’s personal data to which the defendant responded that the videos were in the “public domain”; and,
- Further videos appeared and the claimants eventually issued legal proceedings applying for an interim injunction in malicious falsehood for the claimant business and for an order under section 10(4) of the UK 1998 Data Protection Act requiring the defendant to cease processing the marketing manager’s personal data.
Both applications were granted – the focus below is exclusively on the data protection aspect.
Under Section 10(4) of the UK Data Protection Act 1998 (DPA 1998) where a data subject believes that a data controller has failed to comply with a valid request in a so-called “data subject notice” (as set out under the conditions of Section 10(1)&(3)) they may apply to a court for an order for compliance. A court will grant this application where it is satisfied that the data subject notice was justified and that the data controller has failed to take steps to comply with the notice. These cases are not common but a previous significant judgment in this field where the court granted a perpetual injunction concerns the so-called “Solicitors from Hell” 2011 Law Society and Others -v- Kordowski matter, which can be found here: http://www.bailii.org/ew/cases/EWHC/QB/2011/3185.html.
In the case at hand, for the purposes of Section 10(4) of DPA 1998, the court ruled that the marketing manager had provided the requisite data subject notice and that the defendant’s purported “public domain” defence does not exist under the DPA 1998 and therefore the defendant’s refusal to comply with the notice wasn’t justified. The judge stated that:
“It is clear from Mr Jones’s witness statement that he is suffering substantial damage and distress as a result of the processing of his personal data, in the various uses to which Mr Sambhi has put the Recording […] and other images of Mr Jones. The use of his personal data extends far beyond the sort of criticism which a senior employee of a large commercial organisation might have to put up with in the ordinary course. Mr Jones is being vilified and menaced by the way in which his personal data has been used and manipulated in the video. This is an unwarranted attack on him personal.”
Accordingly, the judge was persuaded that this was an appropriate case in which to order that the defendant “must not process, further process or cause or permit to be processed any audio recording, video recording, still photograph or other information, including by disclosing the same to the public, amounting to Mr Jones’s personal data for the purposes of the DPA ”. The judge also remarked as follows: “It is perhaps a footnote to this part of the Claimants’ application that Mr Sambhi is not, in any event, registered with the Information Commissioner. He should not be processing anyone’s data at all.”
In a regulatory enforcement context it should also be borne in mind that in the regulator’s armoury of available sanctions Article 58(2)(f) of GDPR gives a regulator the corrective power “to impose a temporary or definitive limitation including a ban on processing.”
For other articles that we have written about data protection compliance please see here: http://www.corderycompliance.com/category/data-protection-privacy/. Our FAQs and video on the EU General Data Protection Regulation (GDPR) can be found here www.bit.ly/gdprfaq .
Cordery also has a GDPR Navigator subscription service which includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details about this can be found here: www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|